Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
RE: Internet Access still stopping ...
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
RE: Internet Access still stopping ... - 24.Mar.2002 2:24:00 AM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Marc,
Interesting that I'm having a similar problem now. ![[Big Grin]](/image/smiles/biggrin.gif) Very strange, DNS stops working, and if I wait a little while, it comes back. Its like the Firewall service has just quit. I did a packet trace, but now I can't remember what I found ![[Wink]](/image/smiles/wink.gif) I'll do it again if I can catch it. What's interesting was that the firewall client icon went RED and said it couldn't find the server! So, this leads me to believe that something is whack with the Firewall service. However, I did NOT need to restart the firewall service; it just came back. Not a clue what caused the problem, except I noticed a spoofed packet around that time. Maybe that was the cause?
Help!
Tom
quote:
Originally posted by msgelinas:
quote:
Originally posted by Peter Amato:
I had a similar issue, except mine was inbound connections that dropped. I was using the original SP1 with no problems in an array configuration. I had about 9 IP addresses bound on my external interfaces and server publishing rules for the websites. I would generally run about 500 to 1000 simultaneous users per web site. It doesnĘt seem to stress the servers cpu or memory much. Within a couple of hours of applying the final release of SP1 (what I refer to as SP1a ), that is when everything went south. Suddenly 1 IP would stop listening, then another. I figured out if I disabled and enabled the rule for the IP, it would come back or I could restart services or I disable and enable the nic. All would work! Sometimes it would work for less than a + hour, sometimes several hours, but eventually it was going to fail again. I re-installed Win2kAS and ISA on both of my boxes, reconfigured everything as before, except I only applied the original SP1. Every thing works great again and I have not touched the servers for almost 2 weeks. No message screening for me I guess until SP2. Go figure.
Man I have reloaded the box twice already. I have tried both SPs and still it fails. I have three ISA boxs in three different locations. Two work great but have no users surfing from the inside. The one ISA box that has my corp lan on the inside craps out. Sometimes in five minutes sometimes hours apart. Some others must be seeing the same problem ? I am going nutty tryin to figure this out. ![[Confused]](/image/smiles/confused.gif)
|
|
|
|
RE: Internet Access still stopping ... - 24.Mar.2002 4:45:00 AM
|
|
|
AxleMunshine
Posts: 63
Joined: 13.Jul.2001
Status: offline
|
Tom,
Well, the symptoms are similar to the one outlined in the article. And I have SP1 installed (as well as W2K SP2). It seems to be worse with SP1. And it really looks like that I'm not the only one.
As with Marc and Peter (and maybe you?), if I restart ISA services, everything comes back OK.
And often, it's the DNS behind the firewall that is not accessible anymore. The DNS is OK, I never reboot it. It blocks at the firewall. Also often, it's Web sites on the ISA server itself that stop responding to the outside.
When I get that problem, everything from the inside the network works fine. Even the Web servers on the ISA Server work fine from the inside. It is really happening only for incoming connections.
|
|
|
|
|
RE: Internet Access still stopping ... - 24.Mar.2002 4:51:00 AM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Axle,
It seems like we are having slightly different problems, but I still think that DNS is the heart of the matter. I think I'll disable the DNS appliation filter and see if that might improve things. Those filters seem to be the root of a lot of "issues".
HTH,
Tom
|
|
|
|
RE: Internet Access still stopping ... - 24.Mar.2002 5:20:00 AM
|
|
|
AxleMunshine
Posts: 63
Joined: 13.Jul.2001
Status: offline
|
Hi Tom,
I agree that other symptoms could be due to the DNS not being accessible. This might happen to me.
Also, when remotely testing the problem I got with Web sites behing inaccessible, I also remember once getting 403 messages (something like the url or destination behing refused?) from ISA instead of seeing the Web page. Restarting ISA services did the trick...
As for the DNS Application filter, are you thinking of disabling the "DNS Intrusion Detection" filter? If it works for you, please tell us!
|
|
|
|
RE: Internet Access still stopping ... - 24.Mar.2002 8:17:00 PM
|
|
|
AxleMunshine
Posts: 63
Joined: 13.Jul.2001
Status: offline
|
Good! Still working?
I kept a reminder to come back and check this thread in a few days.
Thanks!
|
|
|
|
RE: Internet Access still stopping ... - 25.Mar.2002 11:51:00 PM
|
|
|
msgelinas
Posts: 79
Joined: 21.Sep.2001
From: Victoria,BC,Canada
Status: offline
|
Tom, Oh and also the red icon usually is because the client looses connection to the ISA server because all DNS resolution fails (Internal and External) this gets worse if you set auto detect. I ahve seen the packet filter error and have to think that it is because you disabled and re-enabled with the firewall service running. As the LAT gets momentarily screwed up if you do that.
Cheers,
|
|
|
|
|
RE: Internet Access still stopping ... - 26.Mar.2002 6:43:00 AM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Marc,
Well, my test failed. I had the same problems today. Although for a very short period of time. No errors reported and nothing very interesting in the Firewall log other than the DNS server trying over and over again to complete recursion.
The packet trace just shows the client trying to resolve the name and getting a server failure message back.
I may do a test of putting the internal network servers on both in the internal and external interfaces. Not sure why this would work, but it has to do with how Win2k handles DNS name queries on multihomed machines. BUT, its interesting that I never had this problem before SP1.
Thanks!
Tom
|
|
|
|
RE: Internet Access still stopping ... - 26.Mar.2002 6:13:00 PM
|
|
|
AxleMunshine
Posts: 63
Joined: 13.Jul.2001
Status: offline
|
Hmm, bad news!
On my part, interestingly enough, it seems that the first listening failure always happen to the same server. Since my setup is also multi-homed, the bug might happen at network interface level or at the firewall level. But, I stand by my suspicion that the problem is in ISA itself. In my case, restarting ISA services does the trick... for a while.
Next time it happens, I'll try to trace more effectively the problem. Since the site for which it first fails as the same IP for the DNS and Web servers, it's hard to tell what might be failing. I'll add another secondary DNS on our network and disable the externally hosted DNS to see what resolves when the problem reappears.
I might also try the network monitor suggestion in the following thread:
Topic: Sporadic Web Site
This also looks like my symptom.
Since I have access to different remote Metaframe servers on separate networks, I can try out different things remotely to really see what happens from the oustide.
Any suggestions will be appreciated.
|
|
|
|
|
RE: Internet Access still stopping ... - 26.Mar.2002 8:43:00 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hey guys,
Just curious, but is this happening on an ISA Server that is either:
A. also a DNS server
or
B. A domain controller
or
C. An RRAS/VPN server
Thanks!
Tom
|
|
|
|
|
RE: Internet Access still stopping ... - 26.Mar.2002 9:43:00 PM
|
|
|
upslide
Posts: 6
Joined: 24.Feb.2002
From: San Diego
Status: offline
|
Hey Tom,
The answer is D. None of the above....there is a seperate Windows DNS server which is the DC the DNS is Active Directory integrated...the firewall array is intergrated into that AD.....hope this helps!
Ben
|
|
|
|
|
RE: Internet Access still stopping ... - 26.Mar.2002 11:17:00 PM
|
|
|
msgelinas
Posts: 79
Joined: 21.Sep.2001
From: Victoria,BC,Canada
Status: offline
|
Ya same for me it is an ISA box only. It has more than enough proc & ram. Has to be a huge bug somewhere ? Is PSS working on this for anyone ?
|
|
|
|
|
RE: Internet Access still stopping ... - 27.Mar.2002 1:37:00 AM
|
|
|
AxleMunshine
Posts: 63
Joined: 13.Jul.2001
Status: offline
|
For me, the DNS Server that does not responds to external requests is not on the ISA Server. The ISA Server is a SBS 2000, so mine has a lot of stuff... Anyway, from previous posts, it does not look like it matters.
It happened again, and this time I did a nslookup remotely via a Citrix server and I can be sure that the DNS Server wasn't responding. Nothing in the ISA logs... And, boy... it happens frequently, I have a lot of trafic and it failed 3 times today! ![[Mad]](/image/smiles/mad.gif)
I added secondary servers, I hope it will help the stability from the outside.
I am seriously thinking about putting a second DNS server directly on the external network... and bypass ISA entirely. ![[Frown]](/image/smiles/frown.gif)
We need a solution! ![[Razz]](/image/smiles/tongue.gif)
Tom, any insider contacts at Microsoft? They must have tons of support calls! The situation is ridiculous!
If it can help, I can use one of my "free" MSDN calls and pretend it is happening in a test environment (which is not the case). My call would not be free for production problems (which is the case...
|
|
|
|
|
RE: Internet Access still stopping ... - 27.Mar.2002 5:15:00 AM
|
|
|
gberry
Posts: 2
Joined: 7.Mar.2002
From: AEA12, Sioux City, IA
Status: offline
|
I've been having this kind of occasional failure on one ISA server at one of our service centers (running DHCP, and RRAS to get a VPN to my main office ISAsvr). After a few occurrances, I started DNS at the service center as a secondary to the primary on the internal network at our main office, a 10.x.x.x active directory DC. Made no difference. The solution (temporary I hope) is call the secretary, have her pull the plug on the box, plug it back in and press the start button. GROSS!
Another problem, maybe related, maybe not: MS Outlook clients before firewall accessed sendmail server fine, after firewall, a lot of timeouts have been occurring. My sendmail log showed a pattern of "Unexpected EOF" errors for these clients.
I wonder if there could be an MTU problem or inconsistancy between Outlook and ISAsvr?
In my main office, the ISAsvr only does ISA and RRAS (as the "hub" to the "spokes" of our service centers), and only occasionally fails on web requests to dynamic pages, and refreshing the page usually gets that. The main site, however, has my mail server outside the firewall, but on the same ethernet network as the ISAsvr, so accesses are quite different from those of the service centers, which have to use 56k Frame Relay.
If I ever feel ISA Server can be relied on, I'll consider moving our web services inside it (They're up-to-date Mac or Linux machines, so I don't feel quite so threatened as if they were Windows machines).
|
|
|
|
|
RE: Internet Access still stopping ... - 27.Mar.2002 2:38:00 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Axle,
Ouch! But maybe we can use this to our advantage. Can you run two instances of Network Monitor, one for internal interface and the second for the external interface? Set the buffer size high, like 300MB+, depending on how much hard disk space you have, and then match up the time when the failure takes place with the times in the logs? Maybe we can tell what is happening by matching up the log findings with the time the failures happen.
MS would want this information anyhow ![[Smile]](/image/smiles/smile.gif)
Thanks!
Tom
quote:
Originally posted by AxleMunshine:
For me, the DNS Server that does not responds to external requests is not on the ISA Server. The ISA Server is a SBS 2000, so mine has a lot of stuff... Anyway, from previous posts, it does not look like it matters.
It happened again, and this time I did a nslookup remotely via a Citrix server and I can be sure that the DNS Server wasn't responding. Nothing in the ISA logs... And, boy... it happens frequently, I have a lot of trafic and it failed 3 times today!
I added secondary servers, I hope it will help the stability from the outside.
I am seriously thinking about putting a second DNS server directly on the external network... and bypass ISA entirely.
We need a solution!
Tom, any insider contacts at Microsoft? They must have tons of support calls! The situation is ridiculous!
If it can help, I can use one of my "free" MSDN calls and pretend it is happening in a test environment (which is not the case). My call would not be free for production problems (which is the case...
|
|
|
|
|
RE: Internet Access still stopping ... - 27.Mar.2002 2:57:00 PM
|
|
|
wjenness
Posts: 2
Joined: 6.Feb.2002
From: Whitman, MA
Status: offline
|
I'm glad to see I'm not insane! we installed our ISA box around new years and have this problem sporadically. (DNS just not forwarding anymore)... for a while we could change the dns server from using forwarders to root hints and that would work.. .then when it would fail we could change it back to forwarders and it would start working again... then that stopped being an easy fix... we called microsoft, and they assured us that it was not a problem with ISA, we ran all kinds of diags and tests (network monitor captures, etc) and then they said... 'yup, its ISA'... we never really got much of a concrete answer from them on what causes it... they had us change binding orders and all sorts of things... what we did that seems to have worked is to have firewall client installed on the internal DNS servers... however, if we reboot the ISA box then dns stops working... and the only way to get it back is to completley reboot the DNS servers... then things are happy... for a while... we have found by playing with several things we can usually get it to come back, either by enabling or disabling (whichever it isnt) the firewall client on the DNS server, changing from roothints to forwarders (or vice versa)... packet filters dont seem to matter.. .site and content rules dont seem to matter... sometimes reboots of the isa box dont seem to matter... it seems like it works when ISA decides it should work... it is quite frustrating... sometimes we go damn near a month without a problem... sometimes we go 20 minutes.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
